
In Linux, there are two files where group definitions are specified. One of them is /etc/group and the other is /etc/gshadow. I want my regular user to be able to switch a group while starting a process without typing any passwords. It's important that the user shouldn't be a member of that group.

I've managed to do so by setting these two files in the following way:

# cat /etc/group | grep audio
audio:x:29:pulse

# cat /etc/gshadow | grep audio
audio:*::pulse,morfik

And now the user morfik is able to run, for instance, this command:

$ /usr/bin/sg audio -c "pulseaudio -D"

$ ps -eo user,group,args | grep pulse
morfik   audio    pulseaudio -D
morfik   audio    /usr/lib/pulseaudio/pulse/gconf-helper

But there's a problem with grpck, which gives the following output:

# grpck
'morfik' is a member of the 'audio' group in /etc/gshadow but not in /etc/group

If I removed the user from the audio group from the /etc/gshadow file, and then tried to start the process, I would get the following error:

sg[2378]: Failed to crypt password with previous salt of group 'audio'

So the question really is: should I be worried about grpck's message? Maybe is there a way to fix the sg's error so everybody would be happy?

  • I have an idea that it is a security risk adding users to the audio group, but I'm not finding much about it on Google. Have a look at grpconv and grpunconv – Rui F Ribeiro Nov 22 '15 at 13:23
  • It's not that big of a deal with adding users to the audio group, at least when you don't share your PC with anyone else. I just want my PC to be able to play audio when the screen is locked. And the only way to do so is by adding users to the audio group or starting pulseaudio with this group, and that's what I'm doing. I just wonder whether there is a problem when those two files don't match, when you have a different group configuration in both of them. The solution has been working for many months without a problem, but recently I discovered grpck, which gave me that message. – Mikhail Morfikov Nov 22 '15 at 14:53
  • Does current sudo support switching between groups? If so, then this is what you want. –  Nov 22 '15 at 15:10

1 Answer


sg allows switching the primary group to a different supplementary group (i.e. a group for which the user is listed in /etc/group) without providing any authentication, or to switch the primary group to one that's mentioned in /etc/group by entering the password listed in /etc/group or /etc/gshadow. Thus, using sg, “without typing any passwords” and “shouldn't be a member of that group” are contradictory.

If the user can freely switch to the group, there's not much point in not making them members of the group. The only real advantage would be to log when they access the group.

The configuration you tried, with the user listed in gshadow but not in group, is not a supported configuration. The fact that it gave something close to what you wanted actually feels like a bug to me — gshadow shouldn't be granting group memberships that aren't listed in group. The manual states “You should use the same list of users as in /etc/group”. If you violate this recommendation, don't count on sensible or portable behavior.

If you want to allow a user to run a specific command as a group, with logging, you can use sudo. Run visudo and add a line like this after any non-NOPASSWD line that might concern that user:

morfik ALL = (morfik:audio) NOPASSWD: pulseaudio
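The grpck complaint in the question, and the answer's point that the member lists in /etc/group and /etc/gshadow must agree, can be checked without root with a small script. This is an added example, not code from the question, the answer or the shadow-utils project; it parses constructed copies of the two files that mirror the question's configuration and reports memberships present in one file but not the other.

```python
from typing import Dict, List, Set

# Constructed sample of the two files, mirroring the question's setup:
# 'morfik' is listed in gshadow's member field but not in group's.
GROUP_SAMPLE = """root:x:0:
audio:x:29:pulse
morfik:x:1000:
"""

GSHADOW_SAMPLE = """root:*::
audio:*::pulse,morfik
morfik:!::
"""


def parse_members(text: str) -> Dict[str, Set[str]]:
    """Map group name -> set of member users.

    Both /etc/group (name:password:gid:members) and /etc/gshadow
    (name:password:administrators:members) keep the member list in the
    fourth colon-separated field, so one parser serves both files.
    """
    members: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed line; ignore rather than guess
        members[fields[0]] = {u for u in fields[3].split(",") if u}
    return members


def gshadow_mismatches(group_text: str, gshadow_text: str) -> List[str]:
    """Report, grpck-style, users present in one member list but not the other."""
    group = parse_members(group_text)
    gshadow = parse_members(gshadow_text)
    problems: List[str] = []
    for name in sorted(set(group) | set(gshadow)):
        in_group = group.get(name, set())
        in_gshadow = gshadow.get(name, set())
        for user in sorted(in_gshadow - in_group):
            problems.append(f"'{user}' is a member of the '{name}' group "
                            f"in /etc/gshadow but not in /etc/group")
        for user in sorted(in_group - in_gshadow):
            problems.append(f"'{user}' is a member of the '{name}' group "
                            f"in /etc/group but not in /etc/gshadow")
    return problems
```

On a live system, feed it the contents of the real files (reading /etc/gshadow requires root) to spot the same inconsistency before grpck does.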